NOTE: Because this report assesses potential vulnerabilities in IT security, only a summary of the report is posted.

Report Title: Review of NARA's Information Security Program
Report Number: 06-09
Date Issued: August 9, 2006

Review of NARA's Information Security Program

The overall objective of our review was to determine if the National Archives and Records Administration is making satisfactory progress establishing an information security program that includes appropriate controls required by federal legislation. Specifically, we sought to determine whether or not NARA (a) has up-to-date, documented security policies; (b) has documented procedures and controls to implement the policies; (c) has implemented the security procedures and controls, and reinforced them through training; (d) routinely tests and reviews the adequacy and effectiveness of its procedures and controls; and (e) has successfully integrated the policies, procedures, and controls into a comprehensive security program that is an integral part of its organizational culture.

Our review revealed that (a) NARA's network perimeter/firewall security needs improvement; (b) the agency's computer network operating system software and electronic message software do not ensure a secure computing environment for the agency's computer network users; (c) NARA officials have not established a 24-hours-per-day/7-days-per-week computer security incident response capability; performed any testing to ensure that the computer incident response team will function in the most efficient and effective manner possible; or conducted post-incident activities in accordance with the guidance in National Institute of Standards and Technology Special Publication 800-61, Computer Security Incident Handling Guide, and the NARA Computer Security Incident Handling Guide; (d) in the area of contingency planning, NARA's recovery strategy for quickly and effectively restoring its mission-critical IT systems after a severe service disruption or disaster is inadequate; contingency plans were not prepared for two of NARA's IT systems; the NH Disaster Recovery Plan was inadequate (i.e., critical information was missing from the plan) and, of 28 mission-critical and non-mission-critical IT systems reviewed, none had a plan for testing its contingency plan, nor had any testing been accomplished; and (e) improvement is needed in NARA's security certification and accreditation process, specifically, the preparation, maintenance, and update of system security plans; preparation of plans of action and milestones; and tasks associated with the continuous monitoring process.

We made 12 recommendations that, when implemented by management, will assist the agency in establishing an information security program that meets the Federal Information Security Management Act and the National Institute of Standards and Technology requirements, and will eliminate the need to report information security as a material weakness in the FMFIA report. Management concurred with two recommendations, partially concurred with two recommendations, and nonconcurred with eight recommendations in the report. The report is currently being reviewed by the Archivist of the United States.